Abstract

This paper describes the Safety, Reliability and 
Quality Assurance (SR&QA) approach developed for the 
first large wind turbine generator project, MOD-OA. 

The SR&QA approach to be used had to assure that the 
machine would not be hazardous to the public or oper- 
ating personnel, would operate unattended on a utility 
grid, would demonstrate reliable operation and would 
help establish the quality assurance and maintainability 
requirements for future wind turbine projects. Since 
the ultimate objective of the wind energy program is to 
provide wind power at a cost competitive with other en- 
ergy sources, the final SR&QA activities were to be ac- 
complished at a minimum of cost and manpower. The final 
approach consisted of a modified Failure Modes and Ef- 
fects Analysis (FMEA) during the design phase, minimal 
hardware inspections during parts' fabrication, and three
simple documents to control activities during machine 
construction and operation. This low cost approach has 
worked well enough that it should be considered by 
others for similar projects. 

Introduction 

The NASA Lewis Research Center is conducting re- 
search and development of large horizontal axis Wind 
Turbine Generators for the Department of Energy as one 
phase of the overall Federal Wind Energy Program. Wind 
turbines ranging in size from 100 kilowatts (kW) to 
3000 kW are being designed and built as part of this 
program. The object of the program is to develop wind 
turbines which will generate electricity at a cost 
which is competitive with alternatives, particularly 
oil. This paper describes the SR&QA approach developed
for the first large wind turbine project, MOD-OA, a 
200 kW, 125-foot diameter machine. This project is a
combination of in-house and contracted effort and is a 
unique joining of aerospace technology and standard 
utility practices. This project forms the base for fu- 
ture development of large wind turbines. 

Machine Description 

A photograph of one MOD-OA machine, located on 
Culebra Island, Puerto Rico, is shown as Figure 1. 
Identical machines are located in Clayton, New Mexico, 
and on Block Island, Rhode Island. A fourth machine 
will be installed on Oahu, Hawaii in the spring of 1980 
and should be in operation about mid-year. The two 
blades measure 125 feet, tip-to-tip. The hub center- 
line is 100 feet above ground level. The blades rotate 
at 40 rpm. The blades are mounted on the rotor hub, as 
shown in the cutaway drawing included as Figure 2. The 
pitch actuator pitches the blades through a set of 
bevel gears located inside the hub. The hub is attached 
to a low speed shaft which drives a speed increaser 
gearbox. A fluid coupling, attached to the 1800 rpm 
output shaft of the gearbox, helps dampen out power os- 
cillations. A high speed shaft then transmits power to 
V-belts which drive a synchronous alternator. The machine
is housed in an 8-foot diameter nacelle and is
mounted on a turntable bearing located on top of a 
truss tower. A dual yaw drive system keeps the machine
aligned with the wind. 


The wind turbine is controlled by a microprocessor, 
two closed loop servo systems, and a safety system. The 
microprocessor is the heart of the control system. It 
continually monitors machine status and wind conditions. 
When the wind speed reaches 12 mph, the microprocessor 
signals the pitch controller to start pitching the 
blades, gradually increasing blade rotation. When the 
alternator reaches synchronous speed, the alternator is 
synchronized with the utility grid. After synchroniza- 
tion, the blades remain in the full power position, gen- 
erating increasing power as the winds increase, until 
the full output of 200 kW is reached at a wind speed of 
24 mph. As winds increase further, the blades gradually 
feather, spilling some of the wind, to maintain the 200- 
kW output. 

If the wind speed drops below 10 mph, the machine 
is shut down. If the wind speed increases above 40 mph, 
the machine is shut down to avoid high blade loads.
When the wind speed drops back to 35 mph, the machine is
restarted. The microprocessor also monitors several non- 
critical variables to shut the machine down if necessary. 

The first closed loop servo system regulates the 
pitch of the blades. Blade pitch regulates machine 
speed from initial blade rotation until synchronization 
with the utility grid and regulates the power generated 
after synchronization. The second closed loop servo 
measures the difference between the actual wind direc- 
tion and the nacelle direction to keep the machine 
aligned with the wind. The machine operates with the 
blades downwind and is kept aligned within 25° of the
wind direction. 

The safety system, as the name implies, measures 
several operating variables, shutting the machine down 
if any of these variables go out of limits. These variables
include overspeed, overcurrent, pneumatic and hydraulic
pressures, several overtemperatures, and high
vibration, plus several others. In most cases, the 
Safety System shutdown signal goes into the microproces- 
sor, but there are several signals which directly shut 
the machine down, regardless of what the microprocessor 
or servo controllers are doing. 
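
The wind-speed rules and safety shutdown described above, written out as a small state machine. This is an added illustration, not the MOD-OA control code: the mode names, the latched trip, and the rejection of bad anemometer readings are assumptions, and start-up and synchronization are collapsed into a single step.

```python
"""Wind-speed supervisory logic with hysteresis (added illustration)."""
import math
from enum import Enum

# Thresholds in mph, as stated in the text.
CUT_IN, LOW_CUT_OUT = 12.0, 10.0
RATED = 24.0
HIGH_CUT_OUT, HIGH_RESTART = 40.0, 35.0


class Mode(Enum):
    WAIT_LOW = 1     # stopped, wind too light
    BELOW_RATED = 2  # on line, blades in full power position
    AT_RATED = 3     # on line, blades feathering to hold 200 kW
    WAIT_HIGH = 4    # stopped, wind too strong
    TRIPPED = 5      # stopped by safety input or bad sensor data


RUNNING = (Mode.BELOW_RATED, Mode.AT_RATED)


class Supervisor:
    def __init__(self):
        self.mode = Mode.WAIT_LOW

    def reset(self):
        """Assumption: a trip latches until it is cleared explicitly."""
        self.mode = Mode.WAIT_LOW

    def step(self, wind_mph, safety_ok=True):
        # NaN compares false against every threshold, so a dead
        # anemometer would otherwise leave a running machine running.
        bad = not math.isfinite(wind_mph) or wind_mph < 0
        if self.mode is Mode.TRIPPED or bad or not safety_ok:
            self.mode = Mode.TRIPPED
        elif wind_mph > HIGH_CUT_OUT:
            self.mode = Mode.WAIT_HIGH
        elif self.mode is Mode.WAIT_HIGH and wind_mph > HIGH_RESTART:
            pass  # stay stopped until the wind is back down to 35 mph
        elif self.mode in RUNNING and wind_mph < LOW_CUT_OUT:
            self.mode = Mode.WAIT_LOW
        elif self.mode in RUNNING or wind_mph >= CUT_IN:
            # Already on line (10-12 mph band) or wind has reached cut-in.
            self.mode = Mode.AT_RATED if wind_mph >= RATED else Mode.BELOW_RATED
        else:
            self.mode = Mode.WAIT_LOW
        return self.mode


def run(trace):
    """Feed a list of wind speeds to a fresh supervisor; return mode names."""
    sup = Supervisor()
    return [sup.step(w).name for w in trace]
```

The two gaps between thresholds (10 to 12 mph and 35 to 40 mph) are what keep the machine from cycling on and off when the wind hovers near a limit.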

Background 

The Reliability and Quality Assurance (R&QA) Office 
was given the responsibility to determine the safety, 
reliability, and quality assurance requirements that 
were to be incorporated for these machines. In the 
past, the R&QA Office had been mainly concerned with 
launch vehicles, spacecraft, and aircraft engines. A 
wide variety of SR&QA techniques have been used on these 
programs. The list of these techniques is long and need 
not be discussed here. Looking at this type of back- 
ground, the Wind Energy Project Office, which manages 
the wind turbine projects at NASA Lewis Research Center, 
was very concerned that we would initiate "expensive, 
time consuming, aerospace R&QA techniques" on their low 
cost program. We assured the project office that a very 
conscious effort would be used to keep the requirements 
at an absolute minimum.

This problem was further complicated by a unique 
combination of in-house and contract effort. The ma- 
chine was designed in-house. Originally, this was a 
three machine program and the schedule was very tight. 
Therefore, Lewis Research Center ordered a few long-lead
items for all three machines, several additional items
for two machines, and all hardware for the first ma- 
chine. The first machine was assembled in-house. The 
contractor was responsible for erection of the first 
machine, assembly and erection of the second machine 
(including the purchase of the remaining parts), and 
essentially all phases of the third machine. When the 
fourth machine was added, the contractor was given 
total responsibility for that machine. This meant that 
the SR&QA program had to operate under several combina- 
tions of in-house and contractor effort. The operation 
of the machine by the utility also had to be considered. 

Safety and Reliability Approach 

It was felt that one person could handle the R&QA
efforts for the MOD-OA project. Therefore, the writer
was assigned as the Product Assurance Manager (PAM), 
with responsibility for choosing the SR&QA requirements 
to be initiated for the program. The working relation- 
ship between the PAM and the Wind Power Office is shown 
in Figure 3. The PAM works in parallel with the Project 
Engineer, coordinating all activities through him. Al- 
though the working relationship between the PAM and the 
Project Engineer has been excellent for this project, 
the PAM has the option of going directly to higher 
levels of supervision, including the Center Director if 
necessary, in case of a dispute between the PAM and the 
Project Office. 

As implied by the concerns of the Project Office, 
our normal aerospace R&QA procedures and paperwork did
not seem to apply directly to a project of this type. 
However, we found that with some minor modifications, 
some standard procedures and paperwork could be modi- 
fied for use on the wind turbine project. 

The FMEA, the Preliminary Hazards Analysis, and 
the Operations Hazards Analysis can be listed on very 
similar forms and many of the entries are the same. In 
some previous projects, we were successful in having 
one person or team simultaneously review the project 
from a safety standpoint and from a reliability (or 
failure modes) standpoint. The results of this com- 
bined analysis can be listed on a relatively standard 
FMEA form. This could really be considered a System 
Safety review, since each possible failure is reviewed 
for its effects on the machine (reliability) as well as
on personnel (safety). This combined FMEA technique 
works quite well and results in significant manpower 
savings. However, there is one drawback to this tech- 
nique. Although it is easy to list failures that are 
not safety problems, it is just as easy to overlook 
safety problems which are not caused by equipment fail- 
ures. Examples of this might be personnel getting 
caught in rotating machinery, shock hazards due to ex- 
posed terminals, or operator errors. These safety re- 
lated items can also be handled using the combined FMEA 
if the reviewer makes a conscious effort to consider 
each of the hazards as a failure (failure of design - 
resulting in lack of proper guards; failure of opera- 
tor - to follow procedures; lack of good human engi- 
neering - resulting in operator error). 

After considering numerous R&QA and safety techniques,
the PAM chose the modified FMEA to be the main
tool for listing and analyzing the various possible 
failures, and the results or effects of those failures. 
Most of the FMEA was performed by the PAM and the 
Deputy Director of R&QA, with some additional help on
one section by another member of the R&QA group. For 
the purposes of this project, the FMEA was performed 
for each functional mode of a system, subsystem, or 
component. The electrical portion of the FMEA was per- 
formed only to the black box level, showing only con- 
stant high level output or zero output. Wire harnesses, 
cables, and electrical connectors were considered to be 
part of the hardware. The level of detail in the mechanical
portion of the FMEA varied. For catalog, off-the-shelf
components, only common types of failures were
considered. A remote operated valve was considered to
be in the failed open or failed closed position only.
The only consideration required for a pressure containment
and distribution system was that the system pressure
has dropped below the minimum safe operating level.
Handvalves were considered part of the containment sys- 
tem and were assumed to be in the proper operating posi- 
tion unless the improper position was hazardous and 
could go undetected. It was not considered important to 
determine how or why a device failed, only that the failure
could occur. The analysis was qualitative in nature
and the actual probability of occurrence of a failure
was not considered. However, the more probable failures,
particularly those having severe consequences, were considered
for possible redesign or addition of redundant
systems. The basic ground rule used throughout the 
analysis was that no single point failure would be cata- 
strophic even if a previous undetected failure had al- 
ready occurred. For single point failure items such as 
the blades, tower, machine bedplate, etc., it was veri- 
fied that the item had been designed to a safe operating 
life with a significant factor of safety. 

The FMEA was used extensively for design and opera- 
tional safety reviews. It emphasized the criticality of 
some hardware such as the blades and hub. Based on the 
FMEA, several design changes were made and redundant 
systems added. For example, the FMEA showed that the 
worst possible failure was rotor overspeed. Two possi- 
ble single point failures that could cause overspeed 
were jammed pitch change mechanism, with increasing 
wind, or a controller failure resulting in full power 
signal even at higher winds. As a result, a disc brake 
was added to the high speed shaft to stop the rotor, 
even with the blades in the full power position. Also, 
a redundant overspeed switch was added that would operate
the brake directly, rather than acting through the
safety system as most of the other sensors do. The 
FMEA gave project management a qualitative evaluation 
of the degree of risk the design imposed on both per- 
sonnel and machine safety. Trade-offs of degree of 
risk versus the need for additional redundancy or 
periodic inspection or maintenance could then be as- 
sessed. The FMEA also proved very useful when new de- 
sign changes were being considered. 
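
The ground rule and the overspeed example above, worked as a small check. This is an added illustration, not the project's FMEA: the five component names, the structure of `rotor_held`, and the choice of which failures can go undetected are assumptions made for the example.

```python
"""Single-failure check behind an FMEA ground rule (constructed toy model)."""
from itertools import product

# Component names are labels made up for this example.
PITCH, CTRL, BRAKE, SAFETY, SWITCH = (
    "pitch mechanism", "pitch controller", "disc brake",
    "overspeed trip via safety system", "direct overspeed switch")


def rotor_held(parts, failed):
    """True if the rotor can still be kept from overspeeding."""
    def ok(p):
        return p in parts and p not in failed
    feather = ok(PITCH) and ok(CTRL)                   # normal speed control
    brake = ok(BRAKE) and (ok(SAFETY) or ok(SWITCH))   # brake needs a trip path
    return feather or brake


# Three design stages: before the change, brake only, brake plus switch.
DESIGNS = {
    "pitch control only": {PITCH, CTRL},
    "brake via safety system": {PITCH, CTRL, BRAKE, SAFETY},
    "brake plus direct switch": {PITCH, CTRL, BRAKE, SAFETY, SWITCH},
}

# Assumption: standby trip paths can fail silently, while the brake is
# covered by periodic inspection and so cannot sit failed undetected.
DEFAULT_LATENT = frozenset({SAFETY, SWITCH})


def violations(parts, latent=DEFAULT_LATENT):
    """(prior undetected failure, new failure) pairs that lose the rotor."""
    priors = [None] + sorted(set(latent) & parts)
    found = []
    for prior, new in product(priors, sorted(parts)):
        if new == prior:
            continue
        failed = {new} | ({prior} if prior else set())
        if not rotor_held(parts, failed):
            found.append((prior, new))
    return found


if __name__ == "__main__":
    for name, parts in DESIGNS.items():
        bad = violations(parts)
        print(f"{name}: {'meets the ground rule' if not bad else bad}")
```

Passing `latent={BRAKE, SAFETY, SWITCH}` shows how much the result depends on the inspection assumption: if the brake can fail unnoticed, the final design violates the rule again.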

To complete the reliability phase of the program, 
a simple Discrepancy Report (DR) form was developed as
the main failure reporting system. A sample DR is included
as Figure 4. The DR form is also used to track
failure analysis when required and to assure initiation
of engineering changes and to help control configura- 
tion. The form is based on discrepancy and failure re- 
port forms used in earlier programs and works quite 
well. The DR is also used as the basis for a summary 
of failure information to be put into our wind turbine 
experience data bank. 

A utility industry survey was initiated to determine
what quality requirements were imposed by the utilities
on their suppliers. Several electrical generating
equipment manufacturers were also contacted to determine
their in-house programs. This survey indicated that we
need not concern ourselves with the vendors of purchased 
electrical equipment. We have also had good experience 
with several of the vendors that had previously supplied 
identical or similar hardware. As a result of this sur- 
vey, good previous experience with the vendors, and the 
effort to keep costs down, there was very little govern- 
ment or required contractor inspection of purchased 
hardware early in the project. Only the most critical 
machined components were inspected upon receipt. Very
little was done on fabricated items and even less on 
catalog items. This turned out to be a mistake. Both 
NASA and the contractor quickly found that virtually all 
machined components had to have a thorough inspection
performed, including all critical dimensions. Critical
components need to be inspected at the vendor's plant
during machining and assembly to save cost and schedule 
problems later. These requirements were added in later 
procurements. We also found that it was wise to per- 
form some inspection and checkouts of the more important 
fabricated hardware, such as the switchgear. Where inspection
at the vendor's plant was not practical, receiving
inspection activity was augmented. Highly stressed
unique hardware such as the blades and hub were of par- 
ticular concern. Further developments indicated the 
need to maintain dimensional records of critical compo- 
nents during assembly and maintenance operations to al- 
low a continuing assessment of component performance in 
areas such as wear rates of sleeve bearings, deforma- 
tion of structural elements, etc. The one area where 
it has not been necessary to upgrade the quality pro- 
gram is for established, off-the-shelf components. We 
have experienced very few difficulties in this area. 

Two more activities round out the quality efforts 
on the project. An Engineering Work Order form is used 
to document changes made to the system. This form is 
virtually identical to the DR form in Figure 4, except 
for the Material Review Board items. This form docu- 
ments the change to be made and is used for configura- 
tion control. The form also assures all personnel that 
the project manager has given his approval to make the 
change. Finally, a daily log is kept for each phase of 
the project to record all significant activities. 

Most of the above discussion relating to Discrep- 
ancy Reports, Engineering Work Orders, inspection rec- 
ords (for recording dimensions, etc.) and the daily log 
was basically for our in-house efforts. However, we 
have been very successful in having each of our contrac- 
tors and each utility use their own internal paperwork 
system to perform the intent of each of the above documents.
For example, one of our contractors uses an Inspection
Report form to document dimensions, etc., on
incoming material as well as to report failures or discrepancies.
They maintain a daily log to complete the
R&QA requirements. Each utility maintains a daily log 
and reports all failures on their weekly summary re- 
ports. The Wind Power Office is responsible for fill- 
ing out a Discrepancy Report for each failure in the 
utility and for writing all necessary Engineering Work 
Orders.

A Readiness Review is performed for each machine 
as the machine is being turned over to the utility for 
operation. This review is performed by two or three 
people who are knowledgeable about the machine, but 
are as independent of the Wind Power Office as possible. 
The assembly log books are reviewed to verify proper 
bolt torques, greases and oils have been added, subsys- 
tem checkouts were successful, etc. A checklist was 
assembled for this phase. The remainder of the activi- 
ties are rather informal. The machine is inspected at 
the site to verify that there is no shipping damage and 
that the machine appears to have been assembled proper- 
ly. The team verifies that operating procedures were 
written and reviewed by knowledgeable people and that 
all system checkouts were performed and were successful. 
Operator training is reviewed to be sure that the oper- 
ators understand the machine and know what they should 
and should not do. 


Conclusion

The SR&QA approach described above was initiated
on what was basically a research and development project
and then revised and expanded as the demonstration aspects
of the project evolved. Part of the safety and
reliability requirements are met by performing a modified
FMEA during the design phase. A Discrepancy Report
is used to record all failures and discrepancies. Finally,
a Readiness Review is performed before the machine
is turned over to the utility. Part of the quality
requirements are met by performing some vendor inspections
and inspecting all machined items and most of
the fabricated items upon delivery. An inspection report
is kept, recording all important dimensions. An
Engineering Work Order form is used for configuration
control. A daily log rounds out the quality control activities.

This SR&QA approach has been successful in assuring
safe operation of the units and in demonstrating those
aspects of standard safety, reliability and quality
practices which are most applicable and cost effective
to this type hardware. We are in the process of getting
good dimensional data on critical hardware and we have a
good record of the configuration of each machine. The
first MOD-OA has accumulated 5000 hours of synchronized
time and has reached an overall Mean Time Between Failures
(MTBF) of 250 hours, with a MTBF of 310 hours average
over the last 6 months. Although this sounds low,
several utilities have told us they feel this is excellent
for this stage of a development program for a new
power source. The approach we developed for the MOD-OA
program has been sufficiently successful that similar
approaches are being instituted on the newer, more advanced
machines leading to low cost commercialization of
wind turbines.

The SR&QA approach described in this paper has
worked well enough that we are recommending that such an
approach be considered for projects of similar complexity.
The prime considerations are that the approach
needs to be reasonable and flexible.




Figure 1. - MOD-OA Wind Turbine at Culebra Island, Puerto Rico.

Figure 2. - Cutaway drawing of tower mounted equipment.



Figure 3. - Relationship of R&QA with Wind Power Office. 








Figure 4. - Typical discrepancy report. 